Organization
Think Whole Person Healthcare is one of the largest independent primary care clinics in the United States. An Accountable Care Organization serving 42,000 patients, collecting and analyzing patient outcomes data is key to Medicare
Story Summary
Think Whole Person Healthcare works to minimize risk for its endpoints by relying largely on a non-persistent virtual desktop infrastructure (VDI) in which virtual desktops are destroyed after every user session. This makes it difficult for persistent cyberthreats to gain traction and spread across the company’s network, but it doesn’t protect end users from phishing attacks or prevent malicious machine-to-machine behavior while sessions are active. Furthermore, physical endpoints and servers remain vulnerable.
To strengthen endpoint security and gain more insightful visibility into endpoint activity, Think deployed Cortex XDR across its physical and virtual endpoints. Now, Think has advanced endpoint protection, behavioral analytics, and rich forensics data in a comprehensive threat detection and response solution. With Cortex XDR, Think has been able to automatically prevent successful cyberattacks on its endpoints and analyze the chain of events to fully understand root cause, exploit behavior, and impact. This event intelligence enables the IT team to continually refine and strengthen its security posture to maximize protection as new cyberthreats and vulnerabilities emerge.
Protection Against Cyberthreats in a Virtual Desktop Environment
We have all been to the doctor for a routine check-up or to diagnose an illness or injury. For many, that means a trip to a primary care physician and then a referral to a specialist, if needed. The primary care physician may prescribe treatment, and the specialist may prescribe additional treatment. Rarely, however, do the two doctors coordinate their care for a patient.
Think Whole Person Healthcare is redefining that traditional approach to healthcare. Think follows a holistic approach to patient care, geared toward patients with chronic health conditions that require regular, ongoing care and attention. With the primary care physician at the center, Think provides a team of care coordinators to manage patients’ health in concert with specialists, pharmacists, physical therapists, and other clinicians. The goal is to deliver more proactive and interactive care to optimize medications, reduce the hospitalization rate, and enable patients to live healthier, happier lives.
Coordinating personalized healthcare across thousands of patients requires seamless access to electronic patient charts, lab and pharmacy systems, and other vital clinical applications. Administrative staff also must be able to coordinate scheduling, billing, and insurance processing among many other responsibilities. Because these systems hold confidential personal, financial, and medical information, securing access to them is of the utmost importance.
One of the core strategies Think uses to secure the enterprise is a non-persistent VDI, strictly limiting what each user is permitted to access and destroying each virtual desktop when the user logs out. This makes it very difficult for persistent cyberattacks, using malware or exploiting an operating system or application vulnerability, to gain any traction on the endpoint and spread across the network. However, as Derek Kuhr, Think’s technology systems architect, points out, it does not prevent malicious behavior and cyberthreats while VDI sessions are active. “What we worry about most is the end user who decides to click on an email link or attachment that starts calling out to the world and exposes private information,” he says.
Extending Cybersecurity Across Business and Operational Systems
To address this concern, Kuhr and his team explored options to better protect Think’s endpoints. This led them to Palo Alto Networks Cortex XDR as the right solution.
Intelligence to Detect and Stop Malicious Behavior
Like many organizations, Think used traditional antivirus software on its endpoints, but as Kuhr points out, traditional antivirus lacks visibility into end-user behavior and often misses anomalous system activity that could be malicious.
“We attended a lunch-and-learn featuring Cortex XDR and it was eye-opening,” Kuhr recalls. “Cortex XDR allows us to actually see what end users are doing at the endpoint—that they opened an email, then clicked on an attachment, which opened and executed some code. A lightbulb went off and I realized that’s what we need.”
With the Cortex XDR agent on all its endpoints, including VDI images, virtual machines, and physical workstations and servers, Think gains advanced threat prevention that goes beyond the signature-based approach of traditional antivirus software. Cortex XDR provides multiple detection methods, including behavioral analysis and scanning for dormant malware.
With analytics built on machine learning, Cortex XDR provides Kuhr and his team with a powerful, proactive tool for detecting and preventing potentially malicious behavior, whether human or machine, along with the automated response to prevent endpoints from being compromised. Shortly after enabling Cortex XDR, one of the first things the IT team discovered was someone using a USB drive to share information with another healthcare organization. It was legitimate work but not a secure practice, and the team had never seen it happening up to that point. Kuhr recalls, “Through Cortex XDR, we saw right away the running executable for the encryption program on this USB drive. We then created a Device Control profile within Cortex XDR to block USB devices.”
Think had also been the target of aggressive spear phishing attacks. Prior to having Cortex XDR, the team had to scramble to keep the attacks at bay, and they lacked any visibility into the specific actions of end users or how the malicious executable behaved. Today, it’s a much different picture. Kuhr says, “After we deployed Cortex XDR, we had another spear phishing incident, and the end user attempted to open a file. Cortex XDR automatically stopped the process before it could do any harm. Cortex XDR is seeing and stopping malicious system behaviors that traditional antivirus solutions won’t catch.”
End-to-End Forensics Data
The forensics capabilities within Cortex XDR have also proven valuable to the Think team. Because the VDI environment is non-persistent, as soon as users log out, all session data is lost. This used to make it difficult to investigate incidents after the fact. Following one incident, Think had to bring in an outside firm to conduct a forensics investigation, which spanned several months and required a lot of extra time from the IT team.
By contrast, Cortex XDR tracks and logs all session data, enabling the team to retrace an incident step by step in a matter of minutes. “The forensic part of Cortex XDR is a big thing for us,” Kuhr remarks. “Bringing back all that intelligence to a console where you can see the chain of events, what and where something was launched, and when we killed it—that, to me, is very powerful.”
He adds, “We’ve had questionable things happen on a VDI session and then have to spend half a day painstakingly going through log files making sure that the machine didn’t set something loose on our network. Now, I can go to the Cortex XDR console and see if it blocked the process. I can see exactly the calls it was making and to where. In a matter of minutes, I can look up the user and see all the activity in their last session. Then, based on what we learn, we can determine if we need to add any new filters to block the activity.”
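As an added illustration (not Think's own code and not Cortex XDR's data or API), the following reconstructs the process chain behind a blocked process from endpoint telemetry, the kind of retrace the console work described above performs; the events, PIDs, image names and timestamps are constructed, hypothetical values modelled on the email -> attachment -> executed code sequence.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ProcEvent:
    ts: str      # ISO-8601 timestamp of the event
    pid: int
    ppid: int
    image: str
    action: str  # "start" or "blocked"

# Constructed sample telemetry (hypothetical values), modelled on the
# email -> attachment -> executed code chain described in the story.
EVENTS: List[ProcEvent] = [
    ProcEvent("2021-03-04T09:11:00Z", 900, 800, "explorer.exe", "start"),
    ProcEvent("2021-03-04T09:12:01Z", 1200, 900, "outlook.exe", "start"),
    ProcEvent("2021-03-04T09:12:40Z", 1344, 1200, "winword.exe", "start"),
    ProcEvent("2021-03-04T09:12:43Z", 1410, 1344, "powershell.exe", "start"),
    ProcEvent("2021-03-04T09:12:44Z", 1410, 1344, "powershell.exe", "blocked"),
]

def start_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Map pid -> its most recent 'start' event (last-wins handles PID reuse)."""
    idx: Dict[int, ProcEvent] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "start":
            idx[e.pid] = e
    return idx

def chain_for(events: List[ProcEvent], pid: int) -> List[str]:
    """Ancestry of `pid` as image names, root first; stops at an unknown parent or a cycle."""
    idx = start_index(events)
    chain: List[str] = []
    seen = set()
    while pid in idx and pid not in seen:
        seen.add(pid)
        e = idx[pid]
        chain.append(e.image)
        pid = e.ppid
    return list(reversed(chain))

def blocked_chains(events: List[ProcEvent]) -> Dict[int, dict]:
    """For every blocked process, report its full launch chain and when it was stopped."""
    return {e.pid: {"chain": chain_for(events, e.pid), "blocked_at": e.ts}
            for e in events if e.action == "blocked"}

if __name__ == "__main__":
    for pid, info in blocked_chains(EVENTS).items():
        print(f"pid {pid} blocked at {info['blocked_at']}: {' -> '.join(info['chain'])}")
```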
With the comprehensive detection and response capabilities of Cortex XDR, Think’s lean IT team can manage security operations with minimal hands-on effort. They can also respond quickly when alerts require attention by zeroing in on the source of the problem instead of spending hours tracing the chain of events.
Kuhr sums up the value like this: “Cortex XDR gives us peace of mind. We know if something suspicious is going on, compared to before, having a silent console and not knowing there’s a problem unless someone called us.”
He concludes, “Cortex XDR gives us the full range of capabilities we need to protect our endpoints. We have the threat prevention along with the behavioral analytics watching for irregular events that could cause problems, and then the forensic data that takes us through each step of the execution of the process chain. All that, to me, is a very compelling solution.”